[Bug 3478] New: Default "kill" action of seccomp sandbox is fragile
bugzilla-daemon at mindrot.org
Sun Oct 2 05:54:27 AEDT 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3478
Bug ID: 3478
Summary: Default "kill" action of seccomp sandbox is fragile
Product: Portable OpenSSH
Version: v9.0p1
Hardware: All
URL: https://bugs.debian.org/991936
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
Created attachment 3615
--> https://bugzilla.mindrot.org/attachment.cgi?id=3615&action=edit
Change seccomp sandbox default action to ENOSYS
From time to time, glibc changes its syscall wrappers to make use of
new Linux kernel facilities. The strategy it uses for this is often to
try more recently-introduced syscalls, but fall back to older ones if
it gets ENOSYS, allowing it to cope gracefully with running on older
kernel versions.
Unlike (as I understand it) OpenBSD's pledge(2), sandboxing using
Linux's seccomp inherently violates the abstraction layer of C library
calls to at least some extent, forcing programs that use it to keep
track of changes to the C library. While OpenSSH has been doing a
reasonable job at keeping up with this, it's fragile and typically
reactive; I've had to update OpenSSH in Debian stable releases in the
past to keep up with new kernels, or sometimes edge cases on less
widely-used architectures. (In the linked bug, Julian also points out
that it can cause issues when running older userspace versions in
containers or similar on top of newer host kernels, as you might expect
from this class of problem.) I would like sshd to be less fragile
here.
The attached patch is one possible suggestion for making this less of a
problem in future. It passes the regression tests here, but is
otherwise definitely in the nature of an RFC.
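The following program is an added example, not part of this bug report or of the attached patch, and not OpenSSH's own sandbox code. It shows the failure mode the report describes: a seccomp allow-list written before statx(2) existed, a glibc-style wrapper that tries statx first and falls back to fstatat on ENOSYS, and the same wrapper run under the two default actions. It assumes x86_64 or aarch64 Linux; the function names, the three-entry allow-list and the outcome codes are the example's own.

```c
/* Added example: seccomp default action KILL vs. ERRNO(ENOSYS).
 * Not OpenSSH code; the allow-list and names below are this demo's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older kernel headers lack these; the values are the kernel's uapi ones. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef STATX_BASIC_STATS
#define STATX_BASIC_STATS 0x000007ffU
#endif

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Outcome codes the sandboxed child reports through its exit status. */
enum { USED_NEW_SYSCALL = 10, USED_OLD_SYSCALL = 11, STAT_FAILED = 12 };

/* Return ALLOW when the loaded syscall number equals nr, else fall through. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install a deliberately small allow-list that predates statx. Every other
 * syscall, statx included, gets default_action. */
static int install_filter(unsigned int default_action)
{
    struct sock_filter insns[] = {
        /* Kill on an unexpected ABI before looking at the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(__NR_newfstatat),
        ALLOW_SYSCALL(__NR_exit_group),
        ALLOW_SYSCALL(__NR_exit),
        BPF_STMT(BPF_RET | BPF_K, default_action),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(insns) / sizeof(insns[0])),
        .filter = insns,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The wrapper pattern the report describes: try the newer syscall (statx),
 * fall back to the older one (fstatat) only on ENOSYS. Raw syscall() is used
 * so glibc's own wrapper does not hide the fallback. */
static int stat_with_fallback(const char *path)
{
    unsigned char stx[256]; /* sizeof(struct statx) in the kernel ABI */
    struct stat st;

    if (syscall(__NR_statx, AT_FDCWD, path, 0, STATX_BASIC_STATS, stx) == 0)
        return USED_NEW_SYSCALL;
    if (errno != ENOSYS)
        return STAT_FAILED;
    if (syscall(__NR_newfstatat, AT_FDCWD, path, &st, 0) == 0)
        return USED_OLD_SYSCALL;
    return STAT_FAILED;
}

/* Run stat_with_fallback() in a forked child sandboxed with default_action.
 * Returns the child's outcome code, -1 if the sandbox killed it (SIGSYS),
 * or -2 on fork/wait failure. */
static int run_sandboxed(unsigned int default_action)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -2;
    if (pid == 0) {
        if (install_filter(default_action) != 0)
            _exit(STAT_FAILED);
        _exit(stat_with_fallback("/"));
    }
    if (waitpid(pid, &status, 0) != pid)
        return -2;
    return WIFSIGNALED(status) ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("KILL default   -> %d (-1 means killed by SIGSYS on statx)\n",
           run_sandboxed(SECCOMP_RET_KILL_PROCESS));
    printf("ENOSYS default -> %d (%d means fell back to fstatat)\n",
           run_sandboxed(SECCOMP_RET_ERRNO | ENOSYS), USED_OLD_SYSCALL);
    return 0;
}
```

With the KILL default the child dies with SIGSYS the moment the wrapper probes statx, which is the behaviour the report calls fragile; with the ENOSYS default the probe fails cleanly and the wrapper takes the older path, so a filter that predates the syscall keeps working. The trade-off a defender should keep in mind is that an ENOSYS default also turns a genuinely unexpected syscall into a quiet failure rather than a terminated process and an audit record, so sandbox violations become harder to notice; the arch check at the top of the filter is kept because a filter that only compares syscall numbers can be bypassed through a different syscall ABI.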